Vulnerability Development mailing list archives

Re: iptables 'syn but not new' packets


From: Cedric Blancher <blancher () cartel-info fr>
Date: 14 Dec 2001 11:25:52 +0100

On Thu 13-12-2001 at 15:16, Leonardo Rodrigues wrote:
    I understand 'restart the firewall' as an 'iptables -F; iptables -X;
iptables -Z' and not as a real machine reboot. In the case of a
machine reboot, it would be very difficult (if not impossible) to
guarantee that open connections would remain open. Who knows how
much time the machine will take to boot?

Sure. You can imagine you have a spare firewall for failover using VRRP.
Shut down the master, and the slave will take over, with a kind of reset
state.

    I've not REALLY tested this, but from these simple tests, it seems that a
soft restart of the firewall (1-2 seconds) would NOT lose open
connections, as states are NOT handled directly by ip_tables.
    What do you think about that?

iptables and Netfilter, although they are closely linked, are two
separate things. iptables is a userland tool that aims to configure
Netfilter's ip_tables stuff.
Netfilter also provides ip_conntrack, which acts separately from
ip_tables. Even if you do not use --match state, having ip_conntrack
loaded _will_ classify the state of _all_ connections.
Doing "iptables -F; iptables -X; iptables -Z" will only act on ip_tables,
but not on ip_conntrack. Nowadays, I am not aware of a tool that can act
on ip_conntrack tables (we can grab the state table, but not yet act on it).

To be brief, iptables does not act on ip_conntrack stuff.

-- 
Cédric Blancher
Consultant sécurité systèmes et réseaux
Cartel Informatique - Groupe CGBI - http://www.cartel-info.fr/
Tél : 01 44 06 97 87 - Fax 01 44 06 97 99
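A way to check the claim above on a live box is to snapshot the conntrack state table before and after the flush and compare the two. The script below is an added example, not code from the original thread; it assumes the text format of /proc/net/ip_conntrack on 2.4 kernels (and tolerates the later /proc/net/nf_conntrack prefix), and the two snapshots embedded in it are constructed by hand, with the SYN_SENT entry simply timed out between them rather than flushed.

```python
"""Snapshot/diff of the Netfilter connection-tracking table.

Added example (not from the mailing-list post). Parse the text form of
the conntrack table taken before and after "iptables -F; iptables -X;
iptables -Z" and report which tracked connections survived. The line
format assumed here is the 2.4-era /proc/net/ip_conntrack layout; the
later /proc/net/nf_conntrack layout, which prefixes "ipv4 2", is also
accepted. Both sample snapshots below are constructed test data.
"""
import sys
from dataclasses import dataclass

# Constructed sample: what the table might look like just before the flush.
SAMPLE_BEFORE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40123 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40123 [ASSURED] use=1
tcp      6 118 SYN_SENT src=192.0.2.11 dst=198.51.100.7 sport=51000 dport=80 [UNREPLIED] src=198.51.100.7 dst=192.0.2.11 sport=80 dport=51000 use=1
udp      17 29 src=192.0.2.12 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.12 sport=53 dport=5353 use=1
"""

# Constructed sample: a few seconds after the flush. The unreplied SYN has
# expired on its own; the established and UDP entries are still tracked.
SAMPLE_AFTER = """\
tcp      6 431980 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40123 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40123 [ASSURED] use=1
udp      17 17 src=192.0.2.12 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.12 sport=53 dport=5353 use=1
"""


@dataclass(frozen=True)
class Entry:
    proto: str
    state: str      # TCP state name, or "-" for protocols without one
    src: str        # original-direction tuple (the first src/dst/ports seen)
    dst: str
    sport: int
    dport: int
    assured: bool   # [ASSURED] flag: traffic seen in both directions


def parse_conntrack(text):
    """Parse conntrack table lines into Entry objects, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # nf_conntrack lines begin with the L3 family ("ipv4 2 tcp 6 ...").
        if tokens[0] in ("ipv4", "ipv6"):
            tokens = tokens[2:]
        proto = tokens[0]
        state = tokens[3] if proto == "tcp" else "-"
        kv = {}
        for tok in tokens:
            if "=" in tok:
                k, v = tok.split("=", 1)
                kv.setdefault(k, v)  # keep the first, i.e. original-direction, value
        entries.append(Entry(
            proto=proto,
            state=state,
            src=kv["src"],
            dst=kv["dst"],
            sport=int(kv.get("sport", 0)),  # ICMP entries carry no ports
            dport=int(kv.get("dport", 0)),
            assured="[ASSURED]" in tokens,
        ))
    return entries


def flow_key(entry):
    """Identify a tracked connection by its original-direction 5-tuple."""
    return (entry.proto, entry.src, entry.dst, entry.sport, entry.dport)


def diff_snapshots(before_text, after_text):
    """Return (kept, lost, new) lists of flow keys between two snapshots."""
    before = {flow_key(e): e for e in parse_conntrack(before_text)}
    after = {flow_key(e): e for e in parse_conntrack(after_text)}
    kept = sorted(k for k in before if k in after)
    lost = sorted(k for k in before if k not in after)
    new = sorted(k for k in after if k not in before)
    return kept, lost, new


if __name__ == "__main__":
    # Usage: python conntrack_diff.py before.txt after.txt
    # (e.g. "cat /proc/net/ip_conntrack > before.txt", flush, then again.)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            kept, lost, new = diff_snapshots(f1.read(), f2.read())
    else:
        kept, lost, new = diff_snapshots(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"kept {len(kept)}, lost {len(lost)}, new {len(new)}")
    for k in lost:
        print("lost:", k)
```

Run against a real before/after pair taken around the flush, an empty "lost" list for the ESTABLISHED entries is what confirms that the flush touched the rule tables only. If instead every entry disappears, the state table itself was reset (a module unload, or the failover to a spare box that the reply mentions), and established flows will be seen as NEW, or dropped, by any --match state rule that is reloaded afterwards.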